Subscribe

Does the Xiaomi Mi4 LTE come preinstalled with malware? (+update)

According mobile security company Bluebox, it appears Xiaomi's Mi4 LTE comes preinstalled with 'shady' apps that leave the phone vulnerable.

  • close
    Three models of China's Xiaomi Mi phones during their launch in New Delhi. By 2015, some smartphones and smartwatches are going to be as cheap as $60 and $30. Chinese company Xiaomi sells a fitness tracker for just $13.
    Reuters/Anindito Mukherjee/File
    View Caption
  • About video ads
    View Caption
of

Update: Xiaomi issued the following statement, "As this device is not an original Xiaomi product, and not running an official Xiaomi MIUI software build, Bluebox’s findings are completely inaccurate and not representative of Xiaomi devices. We believe Bluebox jumped to a conclusion too quickly without a fully comprehensive investigation (for example, they did not initially follow our published hardware verification process correctly due to language barrier) and their attempts to contact Xiaomi were inadequate, considering the severity of their accusations."

While it's not hard for an unsophisticated user to contract malware on an Android phone, Chinese phone manufacturer Xiaomi may have made the entire process a little bit easier. The Xiaomi Mi4 LTE, a top-selling smartphone in China, reportedly comes with malware built-in and a shoddy, vulnerable version of Android on top of that.

Bluebox, a San Francisco-based mobile-security company, got its hands on a brand-new Mi4 LTE from China. After extensive testing to ensure that the device was the genuine article (counterfeit smartphones are common in China), the company published its unsettling findings: The Mi4 LTE appears to be unsafe to use from the moment you take it out of the box.

Recommended: Foreign companies that beat Silicon Valley at its own game

Using several Android antivirus scanners, Bluebox discovered that the phone contained at least six shady apps. Three in particular were pernicious enough to warrant special mention.

The first, Yt Service, enables a piece of adware known as DarthPusher, which fills the device with intrusive ads. Even more troubling is that Yt Service tricks the phone into thinking that it comes directly from Google, which would likely allay the average Android user's fears about the program.

Another piece of risky software, PhoneGuardService, is arguably worse, as it's actually classified a Trojan, malware disguised as a legitimate app that could allow malefactors to hijack the phone.

On the other hand, the last suspicious app, AppStats, is considered "riskware." It's not harmful in and of itself, but acts as a tempting target for purveyors of malware as a gateway into the rest of the phone.

When Bluebox ran its own Trustable app, which evaluates a phone's overall security, the Mi4 LTE was open to all seven Android vulnerabilities that Trustable checks for, except the well-known Heartbleed flaw, which was patched after Android 4.1.1. Jelly Bean.

The vulnerabilities may be there because the smartphone uses Xiaomi's own open-source MIUI build of Android, which has not been certified by Google. Although Google and Android are often synonymous in the West, Android is actually open-source Linux software, and anyone can take the stock Android image and build on it. Google is only one of many companies with an Android ecosystem to call its own. (Due to Google's  issues with the Chinese government, the Google Play store and other Google apps are not common in Chinese phones made for the domestic market.)

The result is that the Mi4 LTE's Android build is an exploitable hodgepodge of two different versions of Android, KitKat and Jelly Bean, and is uniquely vulnerable to security flaws from each. On top of that, the device comes pre-rooted, as though it were a developer version, meaning that third-party software can run more or less unchecked. Infecting a rooted phone is somewhat easier than infecting a device with a certified Android build.

As the phone that Bluebox tested is the real deal, these flaws are most likely present on other brand-new Mi4 LTEs. Xiaomi has not responded to the company's queries, nor has it acknowledged the device's purported security flaws.

If you were planning to import an Mi4 LTE, you may want to reconsider. If you've already done so, your safest bet might be to root the device and install a Google-approved version of Android.

About these ads
Sponsored Content by LockerDome
 
 
Make a Difference
Inspired? Here are some ways to make a difference on this issue.
FREE Newsletters
Get the Monitor stories you care about delivered to your inbox.
 

We want to hear, did we miss an angle we should have covered? Should we come back to this topic? Or just give us a rating for this story. We want to hear from you.

Loading...

Loading...

Loading...

Save for later

Save
Cancel

Saved ( of items)

This item has been saved to read later from any device.
Access saved items through your user name at the top of the page.

View Saved Items

OK

Failed to save

You reached the limit of 20 saved items.
Please visit following link to manage you saved items.

View Saved Items

OK

Failed to save

You have already saved this item.

View Saved Items

OK